Create Mobile Forensic Inquiry (MFI)

Fill in this form and click Save to start a new MFI. Except for "Additional Information," all fields are required.

Case number: 463352
Case title: (illegible in the scan)
Principal investigator: Rob Joyce
MFI number or mnemonic: demo at 3:35pm
Location for data and evidence: C:\MF… (path illegible in the scan)
Time zone for date/time reporting: MFP machine's current time zone
Additional information: (blank)

Logged in user: rob (account mgmt)
Select/Create MFI >



Target Machine Information

Please describe the target machine for the new inquiry (case number 463352, MFI demo at 3:35pm). Except for "Additional info," all fields are required.

Host name or IP address: (illegible in the scan)
Operating system: Windows 2000
User to log in as: rob
This user must have Administrative/root privilege on the target machine.
Account location: ( ) Local machine account, or (x) Account in the Windows domain: STAR_ORA
Access methods to use (checkboxes): Windows Management Instrumentation (WMI) | SMB/CIFS | SSH/SCP | RSH/RCP | NFS | FTP | HTTP
Tabs: Acquire State | Acquire Files | Data Analysis | Data Display

Initial Acquisition

Select the initial acquisition operations to be performed:



1. Security event log
2. System event log
3. Application event log
4. Ethernet statistics
5. Network protocol statistics
6. Retrieve time and date
7. General system information
8. Environment variable definitions
9. Running process info
10. Process thread information
11. Running process tree
12. Running service list
13. Open file handles
14. Open DLLs
15. Process/port associations
16. Logged in user(s)
17. Interface promiscuity
18. SMB connection list
19. Open network shares
20. IP interface configuration
21. Ethernet ARP table
22. All network connections/listeners
23. IP routing table
24. Local NMB network
25. Files open by remote machines
26. NetBIOS connection statistics
27. NetBIOS local name table
28. User account list
29. User account groups
30. Startup/login items in registry
31. Startup/login items in profile directories

Select All | Select None
Items will be acquired in numerical order, roughly following the Order of Volatility.



Logged in user: rob (account mgmt)
Case: 463352
MFI #: demo at 3:35pm
Inquiry target: STAR_ORA\rob@atc-… (host name illegible in the scan)



Tabs: Initial Acquire | Acquire State | Acquire Files | Running Processes | Data Analysis | Data Display

Running Processes

Click on a column heading to sort by that column. The current sort column is indicated in bold and by ascending/descending bars; to reverse the direction of the sort, click that column's heading.

More detailed information about a particular process is available by clicking on that process's name in the first column. Times are given in hh:mm:ss.msec format, and start times are corrected to the MFP's clock.

Processes running during initial acquire:
Number of processes: 45



Process Name | ID | Threads | #File Handles | Memory Use (KB) | User Time | Kernel Time | Elapsed Time | Start Time
System Idle Process | 0 | (remaining cells mostly illegible in the scan; the visible time values are 0:0:0.0 and an elapsed time of 307:13:8.94)
System | (cells illegible in the scan)
(The rest of the 45-row table is not reproduced.)



Tabs: Initial Acquire | Acquire State | Acquire Files | … | Data Analysis | Data Display

Detailed Process Information

In each table below, click on a heading to sort by that column, and click on it again to reverse the sort order. All start times are corrected to the MFP's clock.

Process info:

Process Name: winword
Process ID: 1220
Owner/Context: STAR_ORA\rob
Command Line: "c:\Documents and Settings\rob\Desktop\cap\winword.exe" -p -n ether host a:b:c:d:e:f
Priority: 8
Start Time: Wed May 21 15:33:44 EDT 2003

Memory:
Working set: 384 KB
Working set peak: 1980 KB
Virtual memory: 14108 KB
Private memory: 1496 KB
Page faults: 578
Non-paged pool: 2
Paged pool: 14
Page file usage: 1496 KB

Times (hh:mm:ss.msec):
User time: 0:00:00.031
Kernel time: 0:00:00.000
Elapsed time: 0:03:57.734

(Data acquired from Wed May 21 15:37:42 EDT 2003 to Wed May 21 15:37:47 EDT 2003.)



Open Network Ports:

Local Address | Local Host Name | Local Port | Protocol | Remote Address | Remote Host Name | Remote Port | State
(no rows shown)
Running Threads:

Number of threads: 1

… | … | Context Switches | State | User Time | Kernel Time | Elapsed Time | Start Time
20601 | 8 | 323 | Wait:UserReq | 0:00:00.015 | 0:00:00.000 | 0:03:57.734 | Wed May 21 15:33:44 EDT 2003
(The headings of the first two columns are illegible in the scan.)

Data source: Process thread information (proclist…), acquired at Wed May 21 15:37:4… EDT 2003 (seconds digit illegible in the scan)



Open DLLs:

Base Address | Size | Version | Library Path
0x00400000 | 0x106000 | | c:\Documents and Settings\rob\Desktop\cap\winword.exe
0x77db0000 | 0x5b000 | 5.00.2195.5992 | C:\WINNT\system32\ADVAPI32.DLL
0x77f40000 | 0x39000 | 5.00.2195.5907 | C:\WINNT\system32\GDI32.dll
0x77e80000 | 0xb1000 | 5.00.2195.6079 | C:\WINNT\system32\KERNEL32.dll
0x78000000 | 0x46000 | 6.01.9359.0000 | C:\WINNT\system32\MSVCRT.DLL
0x77f80000 | 0x7a000 | 5.00.2195.6685 | C:\WINNT\system32\ntdll.dll
0x00230000 | 0x10000 | 12.03.0000.0033 | C:\WINNT\System32\packet.dll
0x77d30000 | 0x6d000 | 5.00.2195.6106 | C:\WINNT\system32\RPCRT4.dll
0x77e10000 | 0x5f000 | 5.00.2195.6097 | C:\WINNT\system32\USER32.dll
0x10000000 | 0x2d000 | 0.06.0002.000… | C:\WINNT\System32\wpcap.dll
0x75020000 | 0x8000 | 5.00.2134.0001 | C:\WINNT\System32\WS2HELP.DLL
… | … | 5.00.… | C:\WINNT\system32\ws2_32.dll
0x75050000 | 0x6000 | 5.00.2195.4874 | C:\WINNT\System32\WSOCK32.dll
(Cells marked … are illegible in the scan.)

Data source: Open DLLs (dlls), acquired at Wed May 21 15:37:46 EDT 2003



Open File Handles:

Number of handles: 2
(rows not reproduced)



MOBILE FORENSICS PLATFORM

acquire | analyze | view log | …

Log starts at Sep 11 2002 14:44:14
Log ends at Sep 12 2002 11:44:15

[Figure: Histogram of gap sizes in logfile. Recoverable bucket labels: 7-21 (sec), 21-… (min).]